FTC reaches settlement with PayPal over "misleading" Venmo practices

The app's transfer, security, and privacy policies were found lacking

The Federal Trade Commission (FTC) has announced a settlement with Venmo parent PayPal over allegations that the peer-to-peer payments app misled customers over its account transfers, privacy, and security.

Back in 2016, a PayPal SEC filing revealed that it was under investigation by the FTC, which was looking into Venmo’s business practices. The main complaint is that PayPal told Venmo users they could transfer their balances to external bank accounts immediately, but the reality was that the transactions were still subject to review, and could be reversed or frozen. This led to many customers being unable to pay their rent or other bills because they could not transfer money from their Venmo accounts instantly. Moreover, Venmo’s notification policy told users money had been deposited into an account even when the transactions were under review, which allowed scammers to exploit the system.

The app also suffered from several privacy issues, including a feature that took contact details from users’ phones so they could be automatically ‘friended’ on the app, and the fact all transactions were public by default. The FTC added that Venmo should not have told users they were protected by “bank-grade security.” Up until March 2015, it didn’t inform people when their password or email had been changed or when a new device was added, which allowed hackers to compromise accounts without users finding out they were being robbed.

“Consumers suffered real harm when Venmo did not live up to the promises it made to users about the availability of their money,” said Acting FTC Chairman Maureen K. Ohlhausen. “The payment service also misled consumers about how to keep their transaction information private. This case sends a strong message that financial institutions like Venmo need to focus on privacy and security from day one.”

Venmo isn’t facing any financial penalties for its actions. In addition to making disclosures about its transaction and privacy practices, the settlement requires Venmo to undergo third-party compliance assessments every other year, for the next ten years.